/*
 * Kernel module to match various things tied to sockets associated with
 * locally generated outgoing packets.
 *
 * (C) 2000 Marc Boucher <marc@mbsi.ca>
 *
 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/file.h>
#include <net/sock.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_owner.h>

/*
 * Decide whether a locally generated packet matches an "owner" rule.
 *
 * @skb: the packet; skb->sk is the sending socket, or NULL when no
 *       socket is attached (presumably kernel-generated traffic, or
 *       forwarded traffic seen at POST_ROUTING -- not verifiable here).
 * @par: match parameters; par->matchinfo is the xt_owner_match_info
 *       holding the requested criteria (info->match) and which of them
 *       are negated (info->invert).
 *
 * Returns true when the packet satisfies every requested criterion.
 *
 * Security note: the UID/GID tests compare against the credentials
 * attached to the socket's struct file (filp->f_cred), not against the
 * task that is currently transmitting.  NOTE(review): a descriptor that
 * was inherited by or passed to another process presumably still carries
 * its original f_cred, so this match must not be treated as per-process
 * authorization -- confirm against the kernel's credential rules.
 */
static bool
owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
	const struct xt_owner_match_info *info = par->matchinfo;
	const struct sock *sk = skb->sk;
	const struct file *filp;
	bool in_range, wanted;

	/*
	 * No usable socket: nothing can be established, so the rule
	 * matches only when the requested bits and the negated bits are
	 * exactly the same set (match == invert).
	 */
	if (sk == NULL || sk->sk_socket == NULL)
		return (info->match ^ info->invert) == 0;

	/* A socket does exist, but the rule asked for ! --socket-exists. */
	if ((info->match & info->invert & XT_OWNER_SOCKET) != 0)
		return false;

	/*
	 * Socket without a file: UID/GID cannot be read, so those two
	 * criteria match only when negated.  A non-negated --socket-exists
	 * is already satisfied at this point and is ignored by the mask.
	 */
	filp = sk->sk_socket->file;
	if (filp == NULL)
		return ((info->match ^ info->invert) &
		        (XT_OWNER_UID | XT_OWNER_GID)) == 0;

	if (info->match & XT_OWNER_UID) {
		in_range = filp->f_cred->fsuid >= info->uid_min &&
		           filp->f_cred->fsuid <= info->uid_max;
		/* Polarity: a negated criterion wants the id OUTSIDE the range. */
		wanted = (info->invert & XT_OWNER_UID) == 0;
		if (in_range != wanted)
			return false;
	}

	if (info->match & XT_OWNER_GID) {
		in_range = filp->f_cred->fsgid >= info->gid_min &&
		           filp->f_cred->fsgid <= info->gid_max;
		wanted = (info->invert & XT_OWNER_GID) == 0;
		if (in_range != wanted)
			return false;
	}

	return true;
}

/*
 * Registration record for revision 1 of the "owner" match.  The family
 * is NFPROTO_UNSPEC, and the ipt_owner/ip6t_owner aliases below let it
 * serve both the IPv4 and IPv6 tables.
 */
static struct xt_match owner_mt_reg __read_mostly = {
	.name      = "owner",
	.revision  = 1,
	.family    = NFPROTO_UNSPEC,
	.match     = owner_mt,
	.matchsize = sizeof(struct xt_owner_match_info),
	/* Restricted to the hooks where a local packet may still carry skb->sk. */
	.hooks     = (1 << NF_INET_LOCAL_OUT) |
	             (1 << NF_INET_POST_ROUTING),
	.me        = THIS_MODULE,
};

/* Register the match with x_tables; returns 0 or a negative errno. */
static int __init owner_mt_init(void)
{
	return xt_register_match(&owner_mt_reg);
}

/* Undo owner_mt_init() on module removal. */
static void __exit owner_mt_exit(void)
{
	xt_unregister_match(&owner_mt_reg);
}

module_init(owner_mt_init);
module_exit(owner_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: socket owner matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_owner");
MODULE_ALIAS("ip6t_owner");